Last year I made an announcement of MouseOverJacking - at 12.12.2008 in WASC Mailing List, and at 17.12.2008 at my site. But only now I found time to write an article about it.

MouseOverJacking - it’s a new kind of attacks on web browsers, developed by me in September 2008. These attacks can be used for using of different vulnerabilities in browsers or web sites, where pointing of mouse cursor at an object is needed. And so with help of MouseOverJacking technique it’s possible to intercept cursor’s move and to conduct an attack.

In article Clickjacking Details RSnake wrote about this attack vector. But I first gave example of this attack vector a month before (yet before first announcement of Clickjacking). Besides, he described very briefly this attack vector, which required separate article, which I did in my article.

The idea of MouseOverJacking attacks.

Main idea of this attack, on which I accented already in my announcement, that for conducting of this attack it’s needed only single move of mouse cursor. Only moving of cursor at one pixel in any direction (only one small move) - and it’ll trigger an attack.

If in ClickJacking a victim must to do a click, then in MouseOverJacking no click is required, only moving of cursor . So users of Internet must be careful not just with clicks, but even with moves of cursor.

The difference between common attack with using of onMouseOver event and MouseOverJacking attack in that, that in common attack it’s needed that a victim moves his cursor over required object (at a page), so the attack pass successfully. And in MouseOverJacking attack this process is going automatically, because a victim only needs to make single move at one pixel (which will happened right away at visiting of a page). So MouseOverJacking is designed for automation of attacks with using of onMouseOver event (in IE also onMouseEnter can be used), to increase their effectiveness.

Possibilities of using of MouseOverJacking.

There are possible the next attacks via MouseOverJacking:

1. XSS attacks with using of onMouseOver event.
2. DoS attacks on browsers.
3. Other attacks at pointing of cursor.

For conduction of MouseOverJacking attacks it’s needed to ensnare victim at the page with code of exploit (which can be made with using of CSS or JavaScript).

XSS attacks with using of onMouseOver event.

It’s possible to intercept onMouseOver events in Cross-Site Scripting vulnerabilities, when other vectors of XSS attacks are impossible at the site. For example, in case of filtration at the server or using of WAF.

For this in some cases it’s possible to use CSS. Or for this it’s possible to use invisible iframe, which is placed under user’s cursor (similarly to method of ClickJacking attacks). For this attack it’s needed to use JavaScript.

Recently I wrote about XSS vulnerability in Invision Power Board found by Xacker. In his advisory he gave an example of XSS attack with using of onMouseOver for bypassing filters in IPB 3.0.4. In this case it’s just XSS attack via onMouseOver (which I refer to Strictly social XSS), when it’s needed to wait until admin will point cursor at a text, to execute a code. But if to use my MouseOverJacking technique, then effectiveness of the attack will rise, because a code will execute right away when user will visit a page.

In given exploit for this vulnerability it’s needed to send request at the site and wait until admin will fall into a trap (i.e. it’s common XSS attack via onMouseOver). To speed up this process it’s possible to use MouseOverJacking attack (with invisible iframe or via CSS). And taking into account that after pointing of cursor a click will trigger, then this attack can be refer to kind of joint MouseOverJacking + ClickJacking attacks.

Protection from MouseOverJacking.

If JavaScript is using for MouseOverJacking attack, then for protection against these attacks it’s possible to turn off JavaScript in browser. Either manually in browser, or with help of proper plugins for browser.

If JavaScript isn’t using for MouseOverJacking attack, but CSS is using, then above-mentioned method will not help. But if MouseOverJacking is required for conducting of XSS attacks, then turning off JS will protect against XSS attacks (even if MouseOverJacking is realized via CSS). But it’ll not help against DoS attacks via MouseOverJacking.

In case of DoS attacks or any other attacks via MouseOverJacking with using of CSS, caution of user will help (it’s needed to visit reliable resources) and updating of browser to last version.

This entry was posted
on 20:06 29.12.2009 and is filed under Статті. You can follow any responses to this entry through the RSS 2.0 feed.

4 відповідей на “MouseOverJacking attacks”

please write it again is impossible to understand your article. It looks like you written it in an ackward way to hide the fact that the attack is not interesting. Show step by step real examples or you are just pretneding to find something new. thanks.

I wrote this article (translated from Ukrainian) as good as I can. So I am sorry, if it’s hard for you to understand this article. You can try to read my other articles (their English versions) in case if other ones will be better for you to understand.

the attack is not interesting

I don’t think so. For me it’s interesting technique which can be used for different attacks (as I wrote). For this reason I wrote my article. But it’s your own decision if this attack technique is interesting for you.

Show step by step real examples or you are just pretneding to find something new.

In “Examples of MouseOverJacking attacks” part of the article I showed real examples. What is incomprehensible for you in those examples?

You need to save those examples to new html files at your computer and run to see the result. For example of DoS attack on Google Chrome you need old version (Chrome 0.2.149.27) to see the DoS (crash of the browser). For example of XSS attack you need any browser - it works in any current browsers (I tested in my five browsers).

These types / kinds of attacks are not new. I’ve been using them for perhaps over a year now and I call / name it: “XSS with EventHandlers” because that’s exactly what it is.

In cases where has only been “blocked” by f.ex. preg_replace (seen in many cases), is just one of my favorite working examples of getting an alert box still.

In many other cases, I was inside tags like search-fields that would be located on a site where it would be almost virtually impossible not to mouse-over and thereby I used the “onmouseover” eventhandler.

In case there’s “auto-focus” on this search-field that I am talking about, the eventhandler known as “onblur” can also be used.

To conclude it all: It’s just a matter of how you can apply your knowledge with the current features of the browser you’re using to exploit a website with Cross Site Scripting.

In HTML5 it’s possible to use more onerror-eventhandlers due to more tags supports them.

Don’t confuse it with general XSS attacks with event handlers, because it’s different things. I wrote about it in the article - look at the paragraph “The difference between common attack with using of onMouseOver event and MouseOverJacking attack”.

I’ve been using them for perhaps over a year now and I call / name it: “XSS with EventHandlers”

I’m using XSS via event hadlers for many years (first time I mentioned at my site about such XSS regarding holes at cenzic.com and picosearch.com), but MouseOverJacking is different type of attacks. MouseOverJacking is automated attacks, while XSS via event hadlers is not (in most cases). MouseOverJacking uses both XSS holes (via onMouseOver) and special ways to make attack fully automated - to make it comparable to attacks via styles.

In cases where has only been “blocked” by f.ex. preg_replace

As I mentioned, the idea is to make attack fully automated. And as I mentioned in this article and in comments to The future of XSS attacks article, for MouseOverJacking there are other attack vectors besides XSS (such as DoS, CSRF and others).

In HTML5 it’s possible to use more onerror-eventhandlers due to more tags supports them.

Thanks for mentioning, I’ll look at HTML5 specification (at new onerror-eventhandlers). But for now only some browsers support HTML5. So mouseover is only event which allows to make cross-browser and automated attacks with using of MouseOverJacking technique.